What challenges can individual organisations, and the security industry at large, expect to face in the year ahead? With 2013 upon us, Phil Muncaster gathers the predictions and advice of infosec experts.
Information security experts have something of a thankless task at this time of year, when all we want to hear about are their suggestions for major trends and security events for the 12 months ahead. The cyber crime industry will be moving at a typically unpredictable, breakneck speed – innovating, adapting, attacking – and organisations will have to stay on top of their game to stay safe. To an extent, the themes of the next 12 months will be a familiar evolution from those of the last 12, but inevitably there will be a handful of shocks along the way – an event as momentous as Stuxnet or Aurora usually takes even the experts by surprise.
One area where it is a little easier to predict the coming year's big challenges is that of legal and regulatory compliance. There was plenty to keep security and data privacy professionals busy in 2012, and they should expect no let-up in the coming months, as European regulators continue to refine the wide-ranging Data Protection Regulation, UK data protection watchdog the Information Commissioner's Office (ICO) begins to target more fines at businesses, and cloud computing comes under increasing regulatory scrutiny.
The key to coping with this oncoming regulatory maelstrom is awareness, preparation and reaching out at an early stage to legal teams, according to Stewart Room, data protection specialist and partner at Field Fisher Waterhouse. He warns, for example, that the ICO has been shaping up for a while now to make an example of private companies that have been found wanting in this space by levying some big fines against them. Also on the horizon, he says, are more legal challenges to the fairness of the sums involved as the industry continues to mature.
Issues, threats and solutions
Cloud computing will also garner increasing attention from European and UK regulators. In the summer, European privacy regulators published a joint paper on the cloud, followed in October by the ICO's opinion. In short, these documents say it is lawful to put personal data in the cloud, but stress four elements to ensure ongoing compliance: pre-contractual due diligence; transparency on the part of the service provider; good quality contracts; and ongoing monitoring and auditing.
“The [regulators'] focus on cloud is more substantial than we might believe – they're doing proper work on this,” says Room. “The thinking is quite advanced. They know people are adopting, and as a result cloud is on the radar. So if you have a data protection problem in 2013, they will look at it.”
The European Data Protection Regulation (see page 25), on the other hand, aims to harmonise laws in the region, covering areas such as data breach notifications, cross-border data transfer and the so-called ‘right to be forgotten’. Although it is nowhere near finished, Room warns that the changes it will eventually bring in will be “so big and so pervasive” that compliance won't be achieved overnight, so preparation should begin now. “The regulators are already regulating on the basis that it will come in, so they've already crossed over to a new environment,” he adds.
The companies that will cope best in 2013 are likely to be those that have already scoped out how the evolving regulatory environment may affect them.
“Threats, vulnerabilities and weaknesses are being better understood, but the problems materially will increase in frequency, and if you don't believe security is a regulated matter, await your fate, because if you do have a problem you could suffer terribly,” says Room. “The cost of dealing with a regulatory matter could be massive. You need to think ‘what does security look like?’ in a legal sense, and then consider how comprehensive your policy framework is.”
A common problem, in the case of data breaches, is information security bosses failing to get their legal teams involved early enough. This sometimes exacerbates a situation as many investigations can themselves generate additional legal problems – for example, those around user privacy. “The most overused word in technology is ‘holistic’, but you need to get holistic about incident response,” says Room.
Another given for 2013 is that security concerns about mobility and ‘bring your own device’ (BYOD) will continue to grow among organisations of all sizes. In fact, new research from analyst Ovum of more than 4,000 employees found that 70 per cent of smartphone-owning professionals now use their device to access corporate data, with a worrying 80 per cent of BYOD activity said to be inadequately managed by IT. Nearly half of the respondents' corporate IT departments either did not know of BYOD or chose to ignore it, while a further eight per cent discouraged it, the study found.
There is no one-size-fits-all approach here, but an effective strategy could include providing anti-malware capabilities, limiting the amount of corporate data on devices, and using network access control functionality to recognise devices as they access the corporate network, according to Quocirca analyst Bob Tarzey.
“It's not a fact of whether or not BYOD is right, it's a fact of life – unless you're frisking your staff at the door, they'll be in your organisation using their iPads and smartphones; you can't stop that,” he adds. “Businesses have to accept that and they are. You need the right balance and to have the right policies in place – it's not rocket science.”
Tarzey warns that attacks are likely to become increasingly focused in 2013 as cyber criminals realise their chances of success with highly concentrated efforts are much higher than with traditional scattergun approaches. As always in these instances, user education will be vital in fortifying that first line of defence, he adds. In the case of advanced persistent threats (APTs) and sophisticated targeted attacks, it is often a simple piece of social engineering that tricks the user into opening a malicious email attachment or clicking on a link, providing the attacker with that vital foot in the door.
Deloitte technology security partner James Alexander agrees on the people front, predicting that organisations will try to evolve a culture that is “security aware, privacy aware and knows the value of the information it holds”. He adds: “We'll continue to see the people aspect of security focused on and improved. It's something we all know is very important but is often not done or done separately. You can protect at the machine level, but you need to do this at the people level too.”
For William Beer, information security director at PricewaterhouseCoopers, some of the better-resourced organisations will look to Big Data analytics and security intelligence to help in the fight against APTs and sophisticated targeted attacks.
“More organisations will move away from a ‘defence in-depth’ approach to an ‘assumed state of compromise’ approach, with the focus on incident response and resilience,” he adds. “More business leaders will also become involved in supporting and aggressively challenging the security team's strategy and approach. This will result in many security functions being completely reviewed and restructured.”
For the larger companies, 2013 is likely to usher in a greater readiness to use many of the tools and techniques hitherto found only in the defence sector, according to Wendy Nather, a senior analyst at The 451 Group.
“They need to understand who would be targeting them and why. Once you've narrowed this down to a particular threat actor, it helps you form your defence,” she argues. “As more deceptive and proactive technologies come into the commercial sector, they'll get commoditised and be within the reach of those currently just buying unified threat management systems.”
However, Nather adds, the industry as a whole needs to focus more on the basic security needs of the “silent majority” of companies – those under-resourced, under-skilled firms that, she says, desperately need guidance. “These are the ones that don't make it to the security conferences; that have one security professional in a 20,000-person organisation; that don't know where to start. Most of the things we talk about are so far out of their reach,” she says. “Companies below the security poverty line are disproportionately dependent on third parties for support. We also need to design systems that are much harder to hack, and easier to use right out of the box. All sections of the security industry need to get involved because there's a dire disconnection at the moment.”
Unfortunately for organisations of all sizes, hacktivism is well and truly here to stay. Yet the threat can be mitigated as businesses use more sophisticated techniques to find out whether an attack has come from a group such as, say, Anonymous, whose methods have now become fairly familiar to the security community.
The Anonymous effect may also have a positive impact on breach disclosure, argues Nather. “Groups like those whose purpose it is to publicise breaches and cause as much embarrassment as possible have, by hitting arbitrary targets, almost democratised breaches. It's become more acceptable to talk about breaches,” she says. “Those firms that would have hidden a breach in the past are entering the conversation because it's easier for them to be lost in the crowd. It then becomes more acceptable for them to talk about how to respond to it.”
Fighting cyber crime
Alas, the dynamic, multi-jurisdictional aspect of cyber crime will always give the criminals the upper hand, although next year's planned opening of a European Cyber Crime Centre offers some hope of improved cross-border cooperation. The Europol-led unit will target all forms of organised online crime, from child exploitation to ID theft, unify cyber crime reporting across the region and gather information to support the law enforcement efforts of individual countries.
“There needs to be better cooperation between nation states,” says Tarzey. “It's not just a problem to coordinate the response, but also to motivate the right individuals to investigate a crime that doesn't impact their citizens. It's not happening yet but is being talked about.”
Whether it takes a truly international incident of cyber terrorism in 2013, as has been predicted for some years now, to motivate governments around the world to work together on cyber law enforcement remains to be seen. The more likely outcome, despite the efforts of bodies such as the International Cyber Security Protection Alliance, is continued but limited bilateral cooperation that varies depending on the countries involved.
There are no looming pieces of cyber security-related legislation ready for the statute books either, and there is certainly not enough time to craft anything to cover such a fast-moving and amorphous area, according to Nather. “There will be bits and pieces in bills here and there to address some issues, but one of the big problems is attempting to write legislation to control something that is not meant to be centrally controlled, like the internet,” she adds.
So which organisations will be the best placed to deal with the coming threats? Well, fundamentally it is those that understand the limits of dealing tactically with point solutions, as and when problems turn up, according to Deloitte's Alexander.
“They need to start asking that hard question of ‘what is our most valuable information, where is it, who has access to it and how do we protect it?’. Taking an info-centric view of security will be a big trend in 2013,” he says. “There's still a huge way to go for organisations on this topic.”